[unisog] Do Windows file access, file mod, file create timestamps lie?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Sep 19 17:48:17 GMT 2007


On Wed, 19 Sep 2007 13:23:48 EDT, Brian Smith-Sweeney said:
> Read-only volumes should be read-only.  Representing them otherwise,
> even if you're not actually modifying them, is a Bad Thing.

My personal pet peeve - Linux ext3 file system journalling will insist on
replaying the journal even if you mount it as 'readonly'.  Wonderful semantics
if you're a user/sysadmin - it brings the filesystem into a consistent state
and then enforces no userspace writes.  Sucks if you're a kernel/filesystem
developer or forensics person who *cares* about what's in the journal as it's
relevant to why you're trying to access a filesystem without journal replay...
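The replay behaviour described in the message above can be checked for before mounting. This is an added example, not part of the original post: it reads the ext superblock from an image and reports whether the has_journal and needs_recovery feature flags are set, which is the condition under which the kernel replays the journal at mount time. The function names and the constructed sample images are assumptions made for illustration.

```python
import struct

SUPERBLOCK_OFFSET = 1024     # primary superblock starts 1024 bytes into the volume
SUPERBLOCK_SIZE = 1024
EXT_MAGIC = 0xEF53           # s_magic, at superblock offset 0x38
COMPAT_HAS_JOURNAL = 0x0004  # bit in s_feature_compat (offset 0x5C)
INCOMPAT_RECOVER = 0x0004    # "needs_recovery" bit in s_feature_incompat (0x60)


def journal_status(image: bytes) -> dict:
    """Parse the superblock fields that decide whether a mount replays the journal."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE]
    if len(sb) < SUPERBLOCK_SIZE:
        raise ValueError("image too short to hold an ext superblock")
    (magic,) = struct.unpack_from("<H", sb, 0x38)
    if magic != EXT_MAGIC:
        raise ValueError("no ext2/3/4 magic at superblock offset 0x38")
    compat, incompat = struct.unpack_from("<II", sb, 0x5C)
    (journal_inum,) = struct.unpack_from("<I", sb, 0xE0)  # s_journal_inum
    has_journal = bool(compat & COMPAT_HAS_JOURNAL)
    needs_recovery = bool(incompat & INCOMPAT_RECOVER)
    return {
        "has_journal": has_journal,
        "needs_recovery": needs_recovery,
        "journal_inode": journal_inum,
        # True means even a 'ro' mount would write the journal back to disk.
        "replay_on_ro_mount": has_journal and needs_recovery,
    }


def read_superblock_region(path: str) -> bytes:
    """Read only the first 2 KiB of an image file; the file is opened read-only."""
    with open(path, "rb") as f:
        return f.read(SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE)


def make_sample(compat: int, incompat: int, journal_inum: int = 8) -> bytes:
    """Constructed sample: a zeroed 2 KiB image with only the fields above set."""
    img = bytearray(SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE)
    struct.pack_into("<H", img, SUPERBLOCK_OFFSET + 0x38, EXT_MAGIC)
    struct.pack_into("<II", img, SUPERBLOCK_OFFSET + 0x5C, compat, incompat)
    struct.pack_into("<I", img, SUPERBLOCK_OFFSET + 0xE0, journal_inum)
    return bytes(img)


if __name__ == "__main__":
    samples = {"unclean": make_sample(COMPAT_HAS_JOURNAL, INCOMPAT_RECOVER),
               "clean": make_sample(COMPAT_HAS_JOURNAL, 0)}
    for name, img in samples.items():
        print(name, journal_status(img))
```

When `replay_on_ro_mount` is true, work from a copy of the image; ext3's `noload` mount option skips loading the journal at mount time.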